Anyone whose everyday work involves modern technology knows how important the security of IT systems is. One element of that security is making sure the software in use always has the latest patches installed.

For JS applications, which usually depend on many external scripts and libraries pulled in through a package manager, keeping those dependencies up to date is essential.

Below is a GitHub workflow that runs on a cron schedule, checks whether the dependencies listed in package.json are current, and, based on the given configuration, opens a Pull Request with the updates. The workflow uses the external tool npm-check-updates.

name: Package updater

on:
  schedule:
    - cron: '0 4 * * 0'

jobs:
  update:   # job id not given on the original page; any name works
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v2
      - name: Install lib
        # Move package.json aside so installing ncu does not touch the project's own manifest
        run: |
          mv package.json package.tmp
          rm package-lock.json
          npm install npm-check-updates@12.1.0 --no-package-lock --no-save
          mv package.tmp package.json
      - name: Run update script
        # Bump versions in package.json, then regenerate the lock file without installing
        run: |
          npx ncu --target minor --timeout 3000000 -u
          npm install --package-lock-only
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v3
        with:
          token: ${{ secrets.PERSONAL_ACCESS_TOKEN_AUTOUPDATE }}
          commit-message: AutoUpdate NPM dependencies
          committer: GitHub <noreply@github.com>
          author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
          signoff: false
          branch: autoupdate-dependencies
          delete-branch: true
          title: 'AutoUpdate NPM dependencies'
          body: AutoUpdate NPM dependencies

The workflow is triggered by cron at 4 a.m. on day 0 of the week (Sunday).

The job runs on ubuntu-latest and executes the following steps in order:

  • Checkout Repo – checks out the repository files from the master branch so the later steps can work on them.
  • Install lib – installs the npm-check-updates library.
  • Run update script – runs npm-check-updates with the configured target (latest, minor or patch; see the npm-check-updates documentation for details) and then regenerates the lock file.
  • Create Pull Request – opens a Pull Request if the previous step changed any files.
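To make the effect of the --target option concrete, here is an added example (not code from the original post and not npm-check-updates' own implementation) that models which version latest, minor and patch would select for each dependency. It assumes plain x.y.z versions with an optional leading ^ or ~, skips prerelease tags, and uses a constructed package.json and registry listing rather than real npm data:

```javascript
// Added example: simplified model of `ncu --target <latest|minor|patch>`.
// Assumptions: versions are x.y.z with an optional ^ or ~ prefix, prereleases
// (e.g. 2.1.0-beta.1) are ignored, other npm range operators are not handled.

// Parse "^1.2.3" / "~1.2.3" / "1.2.3" into numeric parts.
function parseVersion(v) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Standard numeric comparison, usable as a sort comparator.
function compareVersions(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Return the highest published version the target policy allows, keeping the
// original ^ or ~ prefix, or null when nothing newer qualifies.
//   latest: any version; minor: same major; patch: same major and minor.
function selectUpgrade(current, published, target) {
  const cur = parseVersion(current);
  const allowed = published
    .filter((p) => !p.includes('-'))          // drop prerelease versions
    .map(parseVersion)
    .filter((p) => {
      if (target === 'latest') return true;
      if (target === 'minor') return p.major === cur.major;
      if (target === 'patch') return p.major === cur.major && p.minor === cur.minor;
      throw new Error(`unknown target: ${target}`);
    })
    .filter((p) => compareVersions(p, cur) > 0)
    .sort(compareVersions);
  if (allowed.length === 0) return null;
  const best = allowed[allowed.length - 1];
  const prefix = /^[\^~]/.test(current) ? current[0] : '';
  return `${prefix}${best.major}.${best.minor}.${best.patch}`;
}

// Apply the policy to a package.json object; returns the new dependency map
// and the list of changes, i.e. what the workflow's Pull Request would contain.
function planUpdates(pkg, registry, target) {
  const changes = [];
  const dependencies = {};
  for (const [name, range] of Object.entries(pkg.dependencies || {})) {
    const upgraded = selectUpgrade(range, registry[name] || [], target);
    dependencies[name] = upgraded || range;
    if (upgraded) changes.push({ name, from: range, to: upgraded });
  }
  return { dependencies, changes };
}

// Constructed sample data (not a real package.json or registry response).
const samplePackage = {
  dependencies: { left: '^1.4.0', right: '~2.0.1', stable: '^3.1.0' },
};
const sampleRegistry = {
  left: ['1.4.0', '1.4.2', '1.5.0', '2.0.0', '2.1.0-beta.1'],
  right: ['2.0.1', '2.0.5', '2.1.0'],
  stable: ['3.1.0'],
};

for (const target of ['patch', 'minor', 'latest']) {
  console.log(target, planUpdates(samplePackage, sampleRegistry, target).changes);
}
```

Running it shows why the workflow above uses --target minor: with that setting "left" moves from ^1.4.0 to ^1.5.0 while the 2.0.0 major is left for a manual review, whereas --target latest would put the breaking bump into the same automated Pull Request.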